Malware authors have regularly used signed binaries to bypass the Apple security mechanism and infect macOS users. We came across one such sample and this time they are baiting users with job vacancies at Coinbase while silently pushing a signed binary in the background and doing their malicious activity. This is an instance of Operation In(ter)ception by Lazarus.

This malware under consideration is a fat binary containing x86_64 and ARM64 architecture compiled executable that can be executed in both Intel & Apple silicon machines.

Figure 1 : Fat binary

The malware is a signed executable. The developer id belonged to Shankey Nohria but it has been revoked as of now.

Figure 2 : Revoked certificate

When executed, it drops 4 files in the folder ~/Library/Fonts (The ~ character stands for the user’s home directory).

1. A PDF document named Coinbase_online_careers_2022_07.pdf

2. A package bundle named which contains a fat binary

3. A downloader agent which connects to the C2 named safarifontsagent. This is also a fat binary

4. A zero byte file named Finder.

The PDF contains job details at Coinbase company. The PDF is created with Microsoft Word 2019, version 1.7. The author of the document is mentioned as “UChan”.

Figure 3 : Dropped pdf properties

As the malware executes, the pdf pops up on the screen but in the background the malware begins its malicious operation, starting with wiping the current saved state of the terminal. 

Figure 4 : Removing the saved state of terminal

Then it drops 2 files and then extracts those files using tar command into and safarifontsagent.

Figure 5 : Extracting the dropped files into executable binaries

Once the 2 files have been extracted, LaunchAgent is created in the name of iTunes_trush with the target binary set as safarifontsagent, using the function startDaemon().

Figure 6 : LaunchAgent created
Figure 7 : Dropped files

After dropping the above files, the malware executes (2nd stage). 

Figure 8 : The second stage file gets executed by the malware

The main function of is to execute safarifontsagent (3rd stage) binary which communicates with the C2.

Figure 9 : Function to execute the 3rd stage malware

Upon execution, the safarifontsagent calls a user defined function named DownloadFile() with couple of arguments, one of the arguments is an URL “hxxps(:)//concrecapital(.)com” appended with the user name of the victim machine which can be seen in Figure 10.

Figure 10 : Argument of the DownloadFile() function 

Then the malware queries the system with commands like getuid, getpwuid, getuname etc., to get information. After that, it uses the commands “sw_vers -productVersion” & “sysctlbyname hw.cpufrequency” to get information about the victim’s machine . 

After that the malware calls the curl_easy_init() function to get a curl handle for communication with C2.

Figure 11 : Curl commands to receive the payload

Then the malware opens the Finder file in ‘wb’ (Open for writing in binary) mode.

The malware uses the information that was gathered earlier, i.e. product version, cpu speed etc. and appends it to the url hxxps(:)//concrecapital(.)com. Then the url with the appended data is passed as an argument to curl_easy_setopt() function.

Figure 12 :URL to get the payload from the C2

It then uses functions like  curl_easy_setopt & curl_easy_perform to connect to the C2 and get the payload that will be written in the Finder file.

Figure 13 : Finder file is opened in write mode and Curl operations in motion

The C2 server was not alive to respond so we were unable to find out what the payload was.

Threat actors targeting macOS users are increasing everyday. So, as a user, one needs to be cautious when executing unknown executables. Users are requested to use a reputable security product such as “K7 Antivirus for Mac” and to keep it updated so as to stay safe from such threats.


Hash : 4a7a1626b6baf8c917945b8fc414c8b9 (parent malware)

Detection Name :  Trojan ( 0040f2c11 )

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Lazarus APT’s Operation Interception Uses Signed Binary”